1. 05 Jul, 2002 1 commit
    • Robert Ricci authored · f9530c20
      Bug fix. exports_setup specifically excludes home directories of
      users that aren't approved into the project (actually, the group.)
      But, tmcd was looking at whether or not the user was active. Thus,
      in the unlikely case that you have a user who is active (probably
      from being in another project,) but has not yet been approved into
      this group, tmcd decided that their home directory should be
      mounted, but exports_setup hadn't exported it.
  2. 21 Jun, 2002 1 commit
  3. 19 Jun, 2002 1 commit
    • Leigh B. Stoller authored · efaa3cda
      Make isalive a real command (usable from tcp as well as UDP).
      Return the update_accounts flag so that the client knows to
      update accounts. This flag is set in node_update for remote nodes.
      Once the client picks up accounts, decrement the update_accounts flag.
      This functions as a simple barrier (up/down counter so that clients
      do not miss).
  4. 13 Jun, 2002 1 commit
  5. 12 Jun, 2002 1 commit
    • Leigh B. Stoller authored · 1bfee4eb
      A minor ("30" minute) hack to support widearea keepalive. If a remote
      node connects with UDP, update the nodes table status with 'up' and the
      current time. This is the only thing that can happen when a remote
      node connects with UDP (since there is no ssl). The idea is that a
      daemon on the remote nodes will wake up periodically and send in a UDP
      packet that says it's alive. Since the idea is to be low overhead, I'm
      using a UDP packet for now, which means I can run it fairly often on
      all the clients, without it being too much of a drain. By its nature,
      if the remote node can start up tmcc and get a udp packet out, it's
      probably in good shape. Maybe we will find out this does not work, but
      if so I will have lost only "30 minutes". See related changes in
      db/node_status.in.
      
      Also, add the code that kicks out remote nodes that connect with tcp
      but no ssl (it was commented out while I originally updated the ron
      nodes with the new tmcc stuff).
  6. 06 Jun, 2002 1 commit
  7. 30 May, 2002 1 commit
  8. 28 May, 2002 1 commit
  9. 23 May, 2002 1 commit
  10. 14 May, 2002 1 commit
  11. 07 May, 2002 2 commits
  12. 01 May, 2002 1 commit
  13. 30 Apr, 2002 2 commits
  14. 29 Apr, 2002 1 commit
  15. 24 Apr, 2002 1 commit
    • Leigh B. Stoller authored · c2d82df7
      Some virtual node support. In order to distinguish what virtual node
      (on the physical node the tmcd request is coming from) look for a
      VNODE= tag in the request (similar in operation to VERSION=). If there
      is a vnode tag, then check for that mapping (in the nodes table). The
      vnode must map to the physical node making the request (in iptonodeid()).
      If so, replace the nodeid with the vnodeid for the remainder of the
      session. Currently no permission checking, so a vnode could ask for
      another vnode's account data (on the same physical node of course). At
      some point we need to either generate per vnode certs (perhaps on the
      fly) or just cons up a secret key and pass it over. Not going to worry
      about it for now, since the only people who will be allowed to
      allocate virtual nodes are trusted anyway.
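
The VNODE= mapping check described in the commit message above, as an added example (not tmcd's own code). The request form `VNODE=<id> <cmd>`, the table contents and the names `vnode_map` and `resolve_nodeid` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the nodes table: vnode id -> physical node id. */
struct vmap { const char *vnodeid; const char *physid; };
static const struct vmap vnode_map[] = {
    { "v-a", "pc1" }, { "v-b", "pc1" }, { "v-c", "pc2" },
};

/*
 * Resolve the node id a request is served as. physid is the node the
 * caller's IP already mapped to. Assumed request form: "VNODE=<id> <cmd>".
 * Returns 0 and fills out on success, -1 if the tag is malformed or the
 * vnode does not map to the requesting physical node.
 */
int resolve_nodeid(const char *req, const char *physid, char *out, size_t outlen)
{
    char vnode[32];
    size_t i, n;

    if (strncmp(req, "VNODE=", 6) != 0) {       /* no tag: physical node */
        if (strlen(physid) >= outlen) return -1;
        strcpy(out, physid);
        return 0;
    }
    n = strcspn(req + 6, " \t\r\n");            /* tag value ends at whitespace */
    if (n == 0 || n >= sizeof(vnode) || n >= outlen)
        return -1;                              /* empty or overlong id */
    memcpy(vnode, req + 6, n);
    vnode[n] = '\0';

    for (i = 0; i < sizeof(vnode_map) / sizeof(vnode_map[0]); i++) {
        if (strcmp(vnode_map[i].vnodeid, vnode) == 0 &&
            strcmp(vnode_map[i].physid, physid) == 0) {
            strcpy(out, vnode);                 /* serve the session as the vnode */
            return 0;
        }
    }
    return -1;                                  /* unknown vnode or wrong host */
}

int main(void)
{
    char id[32];
    /* pc1 may name either of its vnodes: the gap the commit message notes. */
    printf("%d\n", resolve_nodeid("VNODE=v-b accounts", "pc1", id, sizeof id));
    /* pc1 may not name a vnode hosted on pc2. */
    printf("%d\n", resolve_nodeid("VNODE=v-c accounts", "pc1", id, sizeof id));
    return 0;
}
```

The check binds a vnode only to its physical host, so any requester on pc1 can name v-a or v-b; separating them needs the per-vnode certificate or secret key the message mentions.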
  16. 16 Apr, 2002 1 commit
  17. 15 Apr, 2002 1 commit
    • Leigh B. Stoller authored · d881770b
      Add static routing support:
      	# Turn on manual routing.
      	$ns rtproto Manual
      
      	# Set manual routes
      	$nodeA add-route $nodeC $nodeB
      	$nodeC add-route $nodeA $nodeB
      
      results in this information being returned from the tmcd routing
      command:
      
      	ROUTERTYPE=manual
      	ROUTE DEST=192.168.2.3 DESTTYPE=host DESTMASK=255.255.255.0 \
      		NEXTHOP=192.168.3.2 COST=0
      
      The reason for DESTTYPE and DESTMASK is so that we can also support
      routing to links and lans, since doing it on a per host basis is not
      only hugely tedious, but plain impossible if the destination node has
      multiple links; the add-route syntax takes a node, but we need the IP
      of the relevant link in order to run the route add commands on the
      nodes. So, I've "extended" the syntax of add-route so that you can
      give it a Link or a Lan as the dest:
      
      	$nodeA add-route $link0 $nodeB
      	$nodeA add-route [$ns link $nodeB $nodeC] $nodeB
      
      In this case, the DESTTYPE=net, and the netmask is no longer ignored;
      it is used in the route add command. Currently, the mask is hardwired
      in the DB to 255.255.255.0, but by providing it in the tmcd command,
      we can change it later if needed.
      
      I did not implement add-route-to-adj-node since that is not really
      useful in our context, and we definitely do not want the user to
      change the default routes on his nodes. But, it's easy to add if we
      need to.
      
      The client side stuff is not done yet.
  18. 11 Apr, 2002 1 commit
  19. 10 Apr, 2002 2 commits
    • Leigh B. Stoller authored · 40d072cf
      A fair amount of cleanup, both of the ssl stuff and of tmcd in general.
      Deal with ssl/nossl clients; at Chad's suggestion add a small handshake
      tag to ssl enabled tmcc/tmcd which tells tmcd that it needs to enter
      full SSL mode. This allows old tmcc to connect to an ssl enabled tmcd,
      and still work okay.
      
      I've also ironed out the verification stuff. At the client, we make sure
      that the CommonName field of the peer cert maps to the same address that
      we connected to (bossnode).
      
      At the server, we check the OU field of the cert (we create the client
      certs with the OU field set to the node type; a convention I made up!).
      It must match the type of the node, as we get it from the nodes table.
      Also check the CommonName to make sure it matches our hostname. This is
      by no means bulletproof, but perfection is costly, and we don't have the
      money!
      
      Also cleaned up the REDIRECT testmode stuff. Instead of ifdef'ed under
      TESTMODE, leave it compiled in all the time, but only allow it from the
      local node (where tmcd is running). Mere users will not be able to
      access it, but testbed people can use it since they have accounts on the
      boss node.
  20. 09 Apr, 2002 1 commit
  21. 04 Apr, 2002 1 commit
    • Leigh B. Stoller authored · ffe40d2e
      First round of ssl'ification of tmcd/tmcc. This needs to be looked at
      by smarter brains than me (I have asked Dave to look it over). Anyway ...
      
      I added a top level ssl directory which has a bunch of goo for
      creating certificates and keys.  I currently create a Certificate
      Authority, a server certificate, and a client certificate. The private
      keys for all three are unencrypted, so no password is required. All
      key/cert combos can be installed on boss. The client side needs the
      key/cert pair (in one file), and the CA cert (no key!). There are
      install targets to do this. NOTE, you do not want to create/install
      these without being careful, since you could instantly invalidate all
      the clients!
      
      I have added the necessary SSL routines to tmcd/tmcc. See the ssl.c
      and ssl.h files. I have set it up so that all you need to do is
      uncomment three lines in the makefile, and accept,connect,read,write,
      and close are redirected to SSL'ified versions in ssl.c. The current
      security model is that the client and server both "demand" certificate
      verification from the other side (as opposed to just server side
      verification). tmcd reads in server.pem, while tmcc reads in
      client.pem. Both read in the emulab.pem (CA cert with no private
      key).
      
      Initial testing indicates I have done this at least partially
      correctly. Whoever invented this stuff has a really twisted mind
      though. There are some questions at the top of ssl.c that need to be
      answered.
      
      Oh, also redid all the syslog stuff throughout tmcd.
  22. 03 Apr, 2002 2 commits
  23. 02 Apr, 2002 1 commit
  24. 29 Mar, 2002 1 commit
  25. 28 Mar, 2002 3 commits
    • Robert Ricci authored · a4921502
      Added code in dostate() to chomp whitespace off the end of the new
      state string. This was causing (tremendously frustrating) problems
      elsewhere.
    • Leigh B. Stoller authored · 2d522296
      Add versioning support. This has been a minor problem, and is going to
      be a worse problem with remote nodes, where we will not be able to
      keep everyone up to date like we can in the local testbed case. I ran
      into this yesterday with the key distribution stuff for RON nodes,
      which require incompatible changes to the accounts info that is
      returned. So, tmcc now takes a [-v version] argument, which is passed
      through to tmcd in the request field. tmcd passes that version number
      (assumed to be an int) down, and the routines should look at that. We
      will need to make some structural changes in tmcd as we get more
      version skew, but for now this is fine. Anyway, tmcd/tmcc have a
      compiled in DEFAULT_VERSION (see decls.h). If no version is supplied,
      assume DEFAULT_VERSION (2), which covers all of the old images and yet
      to be updated current images. As the new tmcc makes it out, versions
      will be sent through. VERY IMPORTANT: The current version is placed in
      libsetup.pm. When you make incompatible changes, bump the version
      number in decls.h and libsetup.pm, recompile and install a new tmcc
      and the new libsetup.pm on the clients (and of course, tmcd on the
      server).
      
      Fixes to termination; Add signal handlers for HUP,INT,TERM, and make
      sure all the children get killed off before exiting. We still have
      some problems though; I think the children should wait until the
      current request is completed before exiting. I'll give that some more
      thought though since it is easy to mess that stuff up (leave zombies).
      
      Add build_info[] to startup message to syslog. Good for debugging.
      Some minor cleanup and restructuring. Mike is gonna hate it.
  26. 27 Mar, 2002 2 commits
  27. 26 Mar, 2002 1 commit
  28. 25 Mar, 2002 1 commit
  29. 13 Mar, 2002 1 commit
  30. 12 Mar, 2002 1 commit
  31. 11 Mar, 2002 3 commits
    • Leigh B. Stoller · 0aa49acd
    • Leigh B. Stoller authored · f35ce7e3
      Initial version of RED/GRED support. Chris is going to have to finish
      this off, but here is what I did.
      
      Parser: Allow for the following syntax
      
      	set link0  [$ns duplex-link $nodeA $nodeB 100Mb 0ms RED]
      	set queue0 [[$ns link $nodeA $nodeB] queue]
      	$queue0 set gentle_ 1
      	$queue0 set queue-in-bytes_ 0
      	$queue0 set limit_ 50
      	$queue0 set maxthresh_ 20
      	$queue0 set thresh_ 7
      	$queue0 set linterm_ 11
      	$queue0 set q_weight_ 0.004
      
          NB: This differs from the NS syntax (and is the part that Chris
          needs to fix) in that there is just a single queue object per
          duplex link, thus the parameters cannot be set asymmetrically.
          Note, the delay node *does* use a RED/GRED queue in each
          direction, but its params are the same. These TCL hacks took a
          long time for me to get right!
      
          Also note that I have no idea how this stuff relates to LANS! I
          do not allow LANS to be created with RED queues (another item for
          Chris to work on perhaps?).
      
      assign_wrapper: A horrible hack to pass the new fields added to
      virt_lans onto the delays table setup. Also another minor hack to ensure
      that a delay node is added when a RED queue is used (for the case when
      no other traffic shaping is done). At the moment, the virt_lans table
      has a single set of fields, while the delays table has the double set;
      one for each direction of the pipe. Here is a listing.
      
          alter table delays add q0_limit int default 0 after lossrate0;
          alter table delays add q0_maxthresh int default 0 after q0_limit;
          alter table delays add q0_minthresh int default 0 after q0_maxthresh;
          alter table delays add q0_weight float default 0.0 after q0_minthresh;
          alter table delays add q0_linterm int default 0 after q0_weight;
          alter table delays add q0_qinbytes tinyint default 0 after q0_linterm;
          alter table delays add q0_bytes tinyint default 0 after q0_qinbytes;
          alter table delays add q0_meanpsize int default 0 after q0_bytes;
          alter table delays add q0_wait int default 0 after q0_meanpsize;
          alter table delays add q0_setbit int default 0 after q0_wait;
          alter table delays add q0_droptail int default 0 after q0_setbit;
          alter table delays add q0_red tinyint default 0 after q0_droptail;
          alter table delays add q0_gentle tinyint default 0 after q0_red;
      
      tmcd/tmcd.c: Change dodelays to pass back all of these fields (for
      both pipes; there are equiv q1 fields in the delays table). Yikes! It's
      done in a backwards compatible manner though, so existing delay nodes
      will continue to work just fine.
      
      tmcd/freebsd/liblocsetup.pm: Change the delays configuration script to
      get all these fields and do something useful with them. Of course, our
      delay nodes cannot use a lot of these fields, but the information is
      sent through for the eventuality that we have more sophisticated
      delay nodes.
      
      Test Suite: Add red test dir that has the above syntax as its test.